
Tchap Government Messaging Breach: Detection and Hardening Against Single Account Compromise

Security Arsenal Team
June 10, 2026

Introduction

On June 7, 2026, ANSSI (France's National Cybersecurity Agency) detected a significant breach of Tchap, the French government's encrypted messaging platform. The incident highlights a critical vulnerability in even the most hardened government communications: the single account compromise vector. While Tchap was designed as a secure, mandatory communication channel for French civil servants, attackers successfully compromised a single account to access and exfiltrate data from public channels.

For defenders, this breach serves as a stark reminder that zero-trust architecture must extend to internal messaging platforms. The exposure of government communications—even those in "public" channels—presents serious operational security risks and potential intelligence leaks. This incident underscores the need for enhanced monitoring, anomaly detection, and rapid response capabilities for internal messaging ecosystems.

Technical Analysis

Affected Platforms

  • Product: Tchap (French Government encrypted messaging platform)
  • Platform: Cross-platform (mobile and desktop clients)
  • Deployment: French government civil services (mandatory since 2025)

Attack Vector

According to ANSSI's analysis, the breach originated from a single compromised account. The attackers leveraged this initial foothold to access and exfiltrate data from public channels within the Tchap environment. While the specific credential theft method remains under investigation, the attack pattern suggests:

  1. Initial account credential compromise (phishing, credential stuffing, or session hijacking)
  2. Successful authentication to Tchap platform
  3. Access and exfiltration of public channel message history
  4. Potential lateral movement to related channels and direct messages

Exploitation Status

  • Confirmed Active Exploitation: Yes (detected by ANSSI on June 7, 2026)
  • Government Alert: ANSSI has issued active warnings to all Tchap users
  • Data Impact: Public channel messages and associated metadata exposed

Critical Risk Factors

The Tchap architecture, like many enterprise messaging platforms, relies on the premise that authenticated accounts are trusted. This breach demonstrates that:

  • Compromised valid credentials bypass perimeter defenses
  • Public channels may contain sensitive operational data
  • Message history access controls may be insufficient
  • Anomalous access patterns may go undetected without robust monitoring

Detection & Response

SIGMA Rules

YAML
---
title: Tchap Anomalous Large Message History Export
id: 9f2e8a14-3d7f-4c5e-9b1a-7c6d5e4f3a2b
status: experimental
description: Detects potential bulk message export from Tchap messaging platform indicating data exfiltration
references:
  - https://www.ssi.gouv.fr/
author: Security Arsenal
date: 2026/06/08
tags:
  - attack.exfiltration
  - attack.t1567
logsource:
  category: webserver
  product: apache
detection:
  selection:
    cs-uri-stem|contains:        # the export endpoints are request paths, not query strings
      - '/api/v4/messages/export'
      - '/api/messages/batch'
    sc-status: 200
  filter:
    # exact default page size; a plain 'contains: limit=50' would also drop limit=500
    cs-uri-query|re: '(^|&)limit=50($|&)'
  timeframe: 5m
  condition: selection and not filter | count() by c-ip > 10
falsepositives:
  - Legitimate archival activities by authorized personnel
level: high
---
title: Tchap Unusual Geographic Access Pattern
id: 8a1d7f23-4e6c-5d8f-0c2b-3a4e5d6c7b8a
status: experimental
description: Detects Tchap access from unusual geographic locations or impossible travel scenarios
references:
  - https://www.ssi.gouv.fr/
author: Security Arsenal
date: 2026/06/08
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: authentication
  product: azuread
detection:
  selection:
    AppDisplayName|contains: 'Tchap'
  timeframe: 2h
  condition: selection | count(SourceIPAddress) by UserId > 1
falsepositives:
  - Traveling government officials
  - VPN/proxy usage
level: medium
---
title: Tchap Account Authentication Spike
id: 7b2c6e34-5f7d-6e9f-1d3c-4b5f6e7d8c9b
status: experimental
description: Detects suspicious authentication spikes to Tchap potentially indicating credential stuffing
references:
  - https://www.ssi.gouv.fr/
author: Security Arsenal
date: 2026/06/08
tags:
  - attack.credential_access
  - attack.t1110
logsource:
  category: authentication
  product: azuread
detection:
  selection:
    AppDisplayName|contains: 'Tchap'
    Result: 'Failure'
  timeframe: 15m
  condition: selection | count() by UserId > 20
falsepositives:
  - Account lockouts due to legitimate password errors
  - Integration misconfigurations
level: high
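
The three rules above, reimplemented as plain sliding-window checks that can be run offline. This is an added example, not code from the original post or from the Tchap project; the pipe-separated log format, the account names and all sample values are constructed, and the timing and thresholds mirror the rules (15-minute failure spike, a second source IP within 2 hours, more than 10 export requests in 5 minutes with the default page size excluded exactly, so that `limit=500` is not filtered out).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds mirror the page's three Sigma rules (auth spike, multi-IP access, bulk export).
FAIL_THRESHOLD, FAIL_WINDOW = 20, timedelta(minutes=15)
IP_WINDOW = timedelta(hours=2)
EXPORT_THRESHOLD, EXPORT_WINDOW = 10, timedelta(minutes=5)
EXPORT_PATHS = ("/api/v4/messages/export", "/api/messages/batch")
DEFAULT_PAGE = re.compile(r"(^|[?&])limit=50($|&)")  # exact match so limit=500 is not excluded
def parse(line):
    """Parse a constructed 'ts|kind|user|ip|detail' log line (kind is signin or http)."""
    ts, kind, user, ip, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, "ip": ip, "detail": detail}
def max_in_window(times, window):
    """Largest number of timestamps inside any sliding window of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best
def detect(lines):
    """Return {user: set of alert names} for every account that trips a rule."""
    by_user = defaultdict(list)
    for e in map(parse, lines):
        by_user[e["user"]].append(e)
    alerts = defaultdict(set)
    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if e["kind"] == "signin" and e["detail"] == "Failure"]
        if max_in_window(fails, FAIL_WINDOW) > FAIL_THRESHOLD:
            alerts[user].add("auth_spike")
        ok = sorted((e["ts"], e["ip"]) for e in evs if e["kind"] == "signin" and e["detail"] == "Success")
        if any(b[0] - a[0] <= IP_WINDOW and a[1] != b[1] for a, b in zip(ok, ok[1:])):
            alerts[user].add("multi_ip_access")  # successes from different IPs within IP_WINDOW
        exports = [e["ts"] for e in evs if e["kind"] == "http" and not DEFAULT_PAGE.search(e["detail"])
                   and any(p in e["detail"] for p in EXPORT_PATHS)]
        if max_in_window(exports, EXPORT_WINDOW) > EXPORT_THRESHOLD:
            alerts[user].add("bulk_export")
    return dict(alerts)

# Constructed sample (not real Tchap logs): a brute-forced account, then bulk export from a new IP.
T0 = datetime(2026, 6, 7, 8, 0)
def stamp(minutes): return (T0 + timedelta(minutes=minutes)).isoformat()
SAMPLE = ([f"{stamp(m / 2)}|signin|agent@example.gouv.fr|203.0.113.5|Failure" for m in range(21)]
          + [f"{stamp(11)}|signin|agent@example.gouv.fr|203.0.113.5|Success",
             f"{stamp(40)}|signin|agent@example.gouv.fr|198.51.100.7|Success"]
          + [f"{stamp(41 + i / 4)}|http|agent@example.gouv.fr|198.51.100.7|/api/v4/messages/export?limit=500"
             for i in range(11)]
          + [f"{stamp(60)}|http|archivist@example.gouv.fr|192.0.2.9|/api/messages/batch?limit=50"])
```

Running `detect(SAMPLE)` flags the brute-forced account on all three rules and leaves the archivist's single default-size request alone.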

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Tchap anomalous access patterns
let TchapApp = "Tchap";            // 'contains' is a substring match, so no wildcards are needed
let Threshold_FailedLogons = 10;
let TimeWindow = 1h;
SigninLogs
| where AppDisplayName contains TchapApp
// ResultType "0" is a successful sign-in; any other value is a failure
| extend IsSuccess = ResultType == "0"
| extend GeoLocation = strcat(tostring(LocationDetails.city), ", ",
                              tostring(LocationDetails.state), ", ",
                              tostring(LocationDetails.countryOrRegion))
| summarize FailedLogons = countif(not(IsSuccess)),
            SuccessfulLogons = countif(IsSuccess),
            UniqueIPs = dcount(IPAddress),
            Locations = make_set(GeoLocation, 10)
            by UserId, UserPrincipalName, bin(TimeGenerated, TimeWindow)
| where FailedLogons >= Threshold_FailedLogons or SuccessfulLogons > 100
| extend RiskScore = iff(FailedLogons >= Threshold_FailedLogons, "High", "Medium")
| project TimeGenerated, UserPrincipalName, FailedLogons, SuccessfulLogons,
          UniqueIPs, Locations, RiskScore
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Tchap client artifacts and suspicious process activity
-- (=~ is a case-insensitive regex match, so one pattern covers Tchap/tchap)
SELECT CreateTime, Username, Name, CommandLine, Exe, Pid, Ppid
FROM pslist()
WHERE Name =~ 'tchap' OR CommandLine =~ 'tchap' OR Exe =~ 'tchap'

-- Check Tchap data directories for files modified in the last 24 hours
-- (the same per-user and machine-wide locations the PowerShell script below inspects)
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['C:/Users/*/AppData/Local/Tchap/**',
                 'C:/Users/*/AppData/Roaming/Tchap/**',
                 'C:/ProgramData/Tchap/**'])
WHERE Mtime > timestamp(epoch=now() - 86400)

-- Hunt for established connections from Tchap processes on unexpected ports
LET tchap_pids <= SELECT Pid FROM pslist() WHERE Name =~ 'tchap'
SELECT Pid, Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Pid IN tchap_pids.Pid
  AND Status =~ 'ESTAB'
  AND NOT Raddr.Port IN (443, 80, 5222, 5223)

Remediation Script (PowerShell)

PowerShell
# Tchap Security Hardening and Incident Response Script
# Run with administrative privileges

# Function to check for running Tchap processes
function Check-TchapProcesses {
    Write-Host "[*] Checking for running Tchap processes..." -ForegroundColor Cyan
    $tchapProcesses = Get-Process | Where-Object { $_.ProcessName -like "*tchap*" -or $_.MainWindowTitle -like "*Tchap*" }

    if ($tchapProcesses) {
        Write-Host "[!] Found running Tchap processes:" -ForegroundColor Yellow
        $tchapProcesses | Format-Table Id, ProcessName, StartTime, MainWindowTitle -AutoSize
        return $true
    } else {
        Write-Host "[+] No Tchap processes found running." -ForegroundColor Green
        return $false
    }
}

# Function to check Tchap configuration files for suspicious settings
function Check-TchapConfig {
    Write-Host "[*] Checking Tchap configuration files..." -ForegroundColor Cyan

    $configPaths = @(
        "$env:LOCALAPPDATA\Tchap",
        "$env:APPDATA\Tchap",
        "$env:PROGRAMDATA\Tchap"
    )

    foreach ($path in $configPaths) {
        if (Test-Path $path) {
            Write-Host "[+] Found Tchap config directory: $path" -ForegroundColor Green

            # Check for files modified in the last 24 hours
            $recentFiles = Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
                           Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }

            if ($recentFiles) {
                Write-Host "[!] Recently modified files found:" -ForegroundColor Yellow
                $recentFiles | Format-Table FullName, LastWriteTime, Length -AutoSize
            }
        }
    }
}

# Function to check for suspicious logon events
function Check-SuspiciousLogons {
    Write-Host "[*] Checking for suspicious Tchap logon events..." -ForegroundColor Cyan

    # Event log XPath filters do not support wildcards, so pull the last 24 hours of
    # 4624 (successful logon) events and match the process name in PowerShell instead.
    # ProcessName in 4624 is the process that requested the logon, so the Tchap client
    # only shows up here if it authenticated through Windows itself.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $recentEvents = $events | Where-Object { $_.Message -like "*tchap*" }  # -like ignores case

    if ($recentEvents) {
        Write-Host "[!] Found recent Tchap logon events:" -ForegroundColor Yellow
        $recentEvents | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
    } else {
        Write-Host "[+] No Tchap-related logon events in the last 24 hours." -ForegroundColor Green
    }
}

# Main execution
Write-Host "========================================" -ForegroundColor Magenta
Write-Host " Tchap Security Hardening Script" -ForegroundColor Magenta
Write-Host "========================================" -ForegroundColor Magenta
Write-Host ""

Check-TchapProcesses | Out-Null   # discard the boolean so it does not clutter the output
Check-TchapConfig
Check-SuspiciousLogons

Write-Host ""
Write-Host "[*] Script completed. Review findings above." -ForegroundColor Cyan
Write-Host "[*] Recommended: Force password reset for all Tchap users if compromise suspected." -ForegroundColor Cyan
